Re: [PHP] PHP5 & Commercial Development

2007-02-05 Thread Keryx Web

Eric Gorr skrev:
I haven't tracked this particular issue, but I know when PHP5 was first 
released it wasn't recommended in a commercial/production environment. 
However, a lot of time has passed and we're at v5.2 now...have things 
changed? Have Google & Yahoo, for example, moved to PHP5? Or is PHP4 still 
the recommendation for such environments?


My two cents: Any modern PHP-app should use prepared statements for 
efficiency and security. PEAR-DB and some other PHP 4 workable 
abstraction layers can emulate this, but it's only in PHP 5 you get the 
real thing, with mysqli or PDO, or a PHP class that's built on top of 
such an interface.


To me, that's the must have feature of PHP 5 I can't be without. Nor do 
I think one could call him-/herself professional still doing old school 
mysql-interface calls to the DBMS.



Lars Gunther

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PHP5 & Commercial Development

2007-02-06 Thread Keryx Web

Robert Cummings skrev:

I sincerely question the competence of someone who advocates a one size
fits all approach to programming. There are many reasons why a developer
may work with the old-school interface calls. For instance they may be
supporting an old school application. They might be writing their own
abstract layer. They might be optimizing an extremely loaded system
whereby explicitly using the API calls improves speed. Prepared
statements only improve speed when making multiple queries to the
database having the same format. They slow things down when making
unique queries. Any developer worth his salt doesn't need prepared
statements to improve security, and assuming prepared statements will
protect you is silly since they cannot protect against everything. A
professional knows when to use any given approach given the environment
and requirements.

Cheers,
Rob.


So I was perhaps a bit inflammatory in my post. But I do not see myself 
completely rebutted.


1. Maintaining legacy apps does not fall under the categories I was 
referring to. If you are bound by legacy constraints it is another ballgame.


2. In a short mail like this one there is not room to expand every 
minute detail. I do realise that PDO is not the best way to go for every 
app. But in saying that prepared statements are a really good way to 
protect against SQL-injection, I'm just echoing Ilia Alshanetsky 
(spelling?) and a few other rather renowned security experts. Of course 
one should always have a "defense in depth", though.


3. Speed loss from prepared statements is usually negligible even for a 
single query. There are tests published on the net. And if one wants 
speed, one should probably consider a caching layer between PHP and one's 
DBMS. The OO-model in PHP 5 would make such multi-tiered apps simpler to 
develop as well.


The question PHP 4 or PHP 5: If you stay with 4 you are bound to a one 
size fits all solution. In PHP 5 you can use DB-specific drivers or PDO 
or a PHP-based abstraction layer. That's *more* choice, not less!


To summarize: With PDO or mysqli I can use both old school SQL and 
prepared statements; in PHP 4 there are fewer options! My case for PHP 5 
stands intact.


And finally: With each new release of PHP we can expect improvements in 
PDO, making it a more future-safe alternative.



Lars Gunther
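As an added example, not from the thread or any of its authors: the same lookup written the old-school interpolated way beside the PDO prepared-statement form Lars argues for, plus a whitelist for the identifiers a placeholder cannot cover (Rob's point that prepared statements do not protect against everything). It assumes a current PHP with pdo_sqlite so it runs offline; the table contents and the O'Brien input are constructed.

```php
<?php
// Added example (not from the thread): interpolated SQL vs. a PDO prepared
// statement. Uses an in-memory SQLite database so it runs without MySQL.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use the driver's native prepared statements
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('Ada', 'ada@example.test'),
           ('O''Brien', 'obrien@example.test')"); // constructed sample rows

// Vulnerable form: user input is spliced into the SQL text, so any quote in
// the input changes the statement's structure (here it simply breaks it).
function findByNameInterpolated(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe form: the SQL text is fixed; $name travels as a separate parameter
// and is never parsed as SQL, whatever characters it contains.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders only cover values. Identifiers and keywords (the
// ORDER BY column, ASC/DESC) must be checked against a fixed whitelist.
function listUsersSorted(PDO $db, string $column, string $direction): array
{
    $allowedColumns = ['id', 'name', 'email'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->query("SELECT name FROM users ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "O'Brien"; // constructed input: a legitimate name containing a quote

try {
    findByNameInterpolated($db, $input);
} catch (PDOException $e) {
    echo 'interpolated query failed: ' . $e->getMessage() . PHP_EOL;
}
print_r(findByNamePrepared($db, $input));
print_r(listUsersSorted($db, 'name', 'desc'));
```

The interpolated lookup fails on an ordinary apostrophe, which is the same mechanism an injection exploits; the prepared form returns the O'Brien row unchanged.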
